mirrors/nodejs
mirrors/nodejs
0
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Code Issues Releases Activity
14,656 Commits 52 Branches 857 Tags 1.8 GiB
8ff3d61d8b
Commit Graph

24 Commits

Author SHA1 Message Date
Shigeki Ohtsu
dccccbbbe7 test: enable to work pkcs12 test in FIPS mode 
The pfx file created by pkcs12 command of openssl causes an error in
FIPS mode because its certificate is encrypted with RC2 by default.
Adding `-descert` option resolves the error.

Fix: https://github.com/nodejs/node/pull/5144
Fix: https://github.com/nodejs/node/pull/5109
PR-URL: https://github.com/nodejs/node/pull/5150
Reviewed-By: Rich Trott <rtrott@gmail.com>
 2016-02-09 13:05:48 +09:00
Fedor Indutny
a2c1799a5b crypto: load PFX chain the same way as regular one 
Load the certificate chain from the PFX file the same as we do it for a
regular certificate chain.

Fix: #4127
PR-URL: https://github.com/nodejs/node/pull/4165
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
 2015-12-17 20:22:40 -05:00
Stefan Budeanu
20cd932ce0 test: add test for invalid DSA key size 
Check that invalid DSA key sizes are rejected in FIPS mode.

PR-URL: https://github.com/nodejs/node/pull/3756
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Reviewed-By: James M Snell <jasnell@gmail.com>
 2015-11-14 07:53:39 -08:00
Stefan Budeanu
76f40f77f8 test: stronger crypto in test fixtures 
Several test fixtures use use weak crypto (e.g. RC4 or MD5).
Rgenerated the test fixtures to be compatible with FIPS mode.

PR-URL: https://github.com/nodejs/node/pull/3759
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
 2015-11-13 10:22:42 -08:00
Shigeki Ohtsu
3beb880716 crypto: add cert check to CNNIC Whitelist 
When client connect to the server with certification issued by either
CNNIC Root CA or CNNIC EV Root CA, check hash of server
certification in the list of CNNICHashWhitelist.inc. If it's not,
CERT_REVOKED error returns.

See for details in
https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/

PR-URL: https://github.com/nodejs/io.js/pull/1895
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
 2015-06-16 23:26:29 +09:00
Fedor Indutny
550c2638c0 tls: use SSL_set_cert_cb for async SNI/OCSP 
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and
load the cert/OCSP response asynchronously. Hopefuly this will make
whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).

NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use
`SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this
feature.

Fix: https://github.com/iojs/io.js/issues/1423
PR-URL: https://github.com/iojs/io.js/pull/1464
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
 2015-05-01 16:56:55 +02:00
Shigeki Ohtsu
3a69b7689b benchmark: add rsa/aes-gcm performance test 
PR-URL: https://github.com/iojs/io.js/pull/1325
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
 2015-04-04 12:37:26 +09:00
Fedor Indutny
687dfc9875 crypto: separate altname extensions with ", " 
In newly introduced `SafeX509ExtPrint` I forgot to insert separators
between extensions, which lead to the "DNS:...DNS:..." thing for npm.

Fix: iojs/io.js#105
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/iojs/io.js/pull/113.patch
 2014-12-11 00:07:58 +07:00
Fedor Indutny
1bb0aeb8f2 crypto: escape DNS altname 
Vulnerability credit goes to:

    Calvin Liang conradjliang@hotmail.com

Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: ...private
 2014-11-08 02:24:07 +03:00
Adam Lippai
11d57a535c tls: fix encoding in certificate-related functions 
Strings are treated as UTF8 instead of one-byte strings when
names are processed and when OpenSSL's ..._print functions are used.

This commit fixes simple/test-tls-peer-certificate-encoding test.

fix #8366
 2014-09-15 17:42:20 +04:00
Shigeki Ohtsu
0dfedb7127 tls, crypto: add DHE support 
In case of an invalid DH parameter file, it is sliently discarded. To
use auto DH parameter in a server and DHE key length check in a
client, we need to wait for the next release of OpenSSL-1.0.2.

Reviewed-By: Fedor Indutny <fedor@indutny.com>
 2014-08-29 00:36:48 +04:00
Fedor Indutny
b3ef289ffb tls: support OCSP on client and server 2014-04-18 02:21:16 +04:00
Fedor Indutny
cc4b6e6e58 crypto: clear error in GetPeerCertificate 
fix #6945
 2014-01-26 03:48:36 +04:00
Erik Dubbelboer
bb909ad642 tls: add ECDH ciphers support 
Switch test fixtures to 1024 bit keys.
 2013-10-30 08:34:47 +01:00
Michael Thomas
4e4860579e test: rebuild keys without asking for password 2012-05-01 01:08:31 +02:00
Lal Jérémy
ef046bf4f6 test: generate 1024-bit keys, pacify openssl 1.0.1 2012-03-22 23:35:22 +01:00
Ryan Dahl
2e40328c82 Extend OpenSSL expiration dates 2011-03-14 11:30:21 -07:00
Theo Schlossnagle
01a864a29d TLS: CRL support 
Needs more tests.
 2011-02-10 00:49:15 -08:00
Ryan Dahl
778fb859c6 New keys, agent1-cert.pem was expired 2011-02-09 18:30:47 -08:00
Greg Hughes
6c32e155d3 Add ext_key_usage to getPeerCertificate 2011-01-27 14:06:40 -08:00
Ryan Dahl
907e569980 Fix expired keys 2011-01-10 16:30:26 -08:00
Ryan Dahl
5d60b06b76 Add 'make test' to test/fixtures/keys/Makefile 2010-12-07 17:13:51 -08:00
Ryan Dahl
ee5366a410 Fix CNs for agent keys; can't be the same as CA's CN 
Also add makefile for easy tweaking.
 2010-12-07 16:36:10 -08:00
Ryan Dahl
5b8c62f7d1 Add broken, but detailed TLS verify test 
Plus a bunch of keys.
 2010-12-07 11:53:41 -08:00